Microsoft Fixes 16 Security Vulnerabilities in Patch Tuesday Update

Microsoft plugged a pair of vulnerabilities in Internet Explorer 9 today as part of a sizeable Patch Tuesday update.

In total, Microsoft fixed 16 security vulnerabilities, including a bug affecting Microsoft XML Core Services that is being exploited in the wild. The patches are spread across nine bulletins, three of which are rated ‘critical.’ The IE9 bulletin, MS12-044, fixes two bugs that can be exploited to remotely execute code. Though Microsoft said that neither has been seen targeted in the wild, Rapid7 Security Researcher Marcus Carey told SecurityWeek it is likely that reliable exploits will be available soon.

“Microsoft has estimated that a reliable exploit could be available within 30 days,” he said, “which means they believe it has good potential for remote code execution…We have learned from past experience that when it comes to client-side browser bugs, a lot of effort is spent on actualizing exploits to take advantage of them.”

Attackers have already begun targeting a remote code execution issue affecting XML Core Services. The patch fixes the issue on XML Core Services 3.0, 4.0 and 6.0. This bulletin, MS12-043, is rated ‘Critical’, and should be considered a priority, security experts said.

“If you are paying close attention, you’ll notice that the XML version 5 patch for the bug isn’t shipping today,” opined Andrew Storms, director of security operations at nCircle. “The fix for this version is probably not ready yet, so Microsoft decided to deliver the other patches. So far, all the attacks in the wild utilize XML version 3, so this release, even though not totally complete, seems like a no-brainer.”

The final critical bulletin, MS12-045, addresses a vulnerability in Microsoft Windows that, like the other critical bugs, can be exploited to remotely execute code. According to Microsoft, the vulnerability exists in the way that Microsoft Data Access Components (MDAC) accesses an object in memory that has been improperly initialized.

“MDAC is something that has been exploited plenty of times in the past, including vulnerability CVE-2006-0003, which was leveraged by the vast majority of exploit toolkits,” said Marc Maiffret, CTO of BeyondTrust. “This new MDAC vulnerability looks to be something that also will make its way into exploit toolkits sooner than later, given it affects most OS’s and is straightforward to exploit.”

The remaining bulletins for this month impact Microsoft Office, Windows, Microsoft Server Software and Microsoft Developer Tools. Each of those six bulletins is classified as ‘Important.’

In addition to the patches, Microsoft released Security Advisory 2719662, which allows system administrators to disable the Windows Sidebar and Gadgets on supported versions of Windows Vista and Windows 7 with one Fix it click.

“As many of you are aware, Windows 8 will deprecate the Sidebar and Gadgets, and Gadget developers are already shifting their efforts to the online Windows Store,” blogged Yunsun Wee of Microsoft’s Trustworthy Computing group. “Meanwhile, we’ve discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run.”

The company also issued Security Advisory 2728973, which places certain digital certificates in the Untrusted Certificate Store.

“Though we have no indication that those had been compromised or misused in any fashion, as a precautionary measure we’ve revoked them,” Wee blogged. “A subset of those was in addition found to have code signing permissions, which has earned them a place in the Untrusted Certificate Store.”